Published: January 19, 2022
A Safari 15 bug can leak your browsing history, as well as reveal other personal identifiers.
Findings from a browser fingerprinting and fraud detection service named FingerprintJS revealed this issue. Apple’s implementation of IndexedDB seems to be causing the bug. IndexedDB is an API that stores data in your browser.
IndexedDB upholds the same-origin policy. It means that if you were to open a malicious website in one of your tabs and an email or another webpage where you’re logged in, the malicious website wouldn’t view your email. The same-origin policy would prevent it from doing that.
However, the findings revealed that Apple violated the same-origin policy when implementing IndexedDB in Safari 15. The violation means that other websites can see the names of other databases created on other web pages. These could contain personal information.
The fraud detection service further pointed out that websites such as Google and Youtube generate unique databases for your Google ID. Google accesses the publicly available information about you through your Google ID, and the bug can leak this to other pages.
As FingerprintJS looked into sites affected by the bug, they found 30 popular websites, with Netflix and Instagram making it to the list.
As the bug affects the “Private Browsing” feature as well, there is nothing much users can do besides switch to a different browser for the time being on your macOS. However, Apple has a third-party browser ban on iOS, so all browsers were likely affected.
FingerprintJS pointed out that more sites were probably affected by the bug, and they reported this to WebKit Bug Tracker at the end of November. However, there has been no new update to Safari yet.